On May 23, 2018, at 11:51 AM, Jeroen van Kessel <krabbedoelie@hotmail.com> wrote:
I am trying to setup FreeRADIUS 3.0.12 ARM (Pi3) with Yubikeys to authenticate on the 802.1X TP-Link EAP245 access point.
Installed: latest raspbian, freeradius plus freeradius-yubikey
Local radtest authentication works through PAP. However, the access point is establishing an TLS-EAP connection with FreeRADIUS. The YubiKey does not process the YubiKey one time password according to the debugger:
(1) yubikey: No cleartext password in the request. Can't do Yubikey authentication
That's pretty clear.
Is TLS-EAP supported with the YubiKey module on freeRADIUS? If so, what am I doing wrong?
Using correct terminology helps. It's EAP-TLS, not TLS-EAP. You can use Yubikey, so long as there's a User-Password in the packet. This means EAP-TTLS, with PAP inside of the tunnel. It doesn't mean PEAP with MS-CHAP.
My users file:
Please read: http://wiki.freeradius.org/list-help Giving random information isn't useful. Copying default configuration files to the list isn't useful. Reading the debug output *is* useful.
(7) mschap: Found Cleartext-Password, hashing to create NT-Password (7) mschap: Found Cleartext-Password, hashing to create LM-Password (7) mschap: Creating challenge hash with username: bob (7) mschap: Client is using MS-CHAPv2 (7) mschap: ERROR: MS-CHAP2-Response is incorrect
That's about as clear as you can get. Alan DeKok.